Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Networking Privacy The Internet Hardware

New Privacy Vulnerability In IOT Devices: Traffic Rate Metadata ( 24

Orome1 quotes Help Net Security: Even though many IoT devices for smart homes encrypt their traffic, a passive network observer -- e.g. an ISP, or a neighborhood WiFi eavesdropper -- can infer consumer behavior and sensitive details about users from IoT device-associated traffic rate metadata. A group of researchers from the Computer Science Department of Princeton University have proven this fact by setting up smart home laboratory with a passive network tap, and examining the traffic rates of four IoT smart home devices: a Sense sleep monitor, a Nest Cam Indoor security camera, a WeMo smart outlet, and an Amazon Echo smart speaker... "Once an adversary identifies packet streams for a particular device, one or more of the streams are likely to encode device state. Simply plotting send/receive rates of the streams revealed potentially private user interactions for each device we tested," the researchers noted. [PDF]
In addition, the article notes, "Separating recorded network traffic into packet streams and associating each stream with an IoT device is not that hard."
This discussion has been archived. No new comments can be posted.

New Privacy Vulnerability In IOT Devices: Traffic Rate Metadata

Comments Filter:
  • This has been known for a few decades. That it is now for IoT does not make it any more interesting.

    • by Anonymous Coward

      It's very interesting if you are trying to get research funds for the INTERNET OF.... THINGS!

    • IoT security or the lack thereof is a real hot topic at the moment. That makes it more interesting for a lot of people... i.e. this research is a bit like click-bait (or grant-bait).

      By the way: burglars (whether they are of the drive-by variety or the more clever ones who target high value marks specifically) in most cases do not have the smarts to employ such methods. They will have to pay someone to do it for them... and in that case there are far simpler (thus cheaper) methods to determine if you're
  • ... I'm running analytics on any WiFi I hook to via standard apps and the goddam things self-identify.

  • If my home uses a service that "consumes" some sort input, then you can infer my household activity based on the rates of consumption and when. What makes IoT so different?

  • by Anonymous Coward on Sunday May 28, 2017 @06:12PM (#54502875)

    Radio raffic rates have been used as early as Cold War to anticipate moves of the adversary - there're plenty of mentions of this in literature. It made me laugh when recently some clueless US official dismissed the threat from a Russian reconaissance ship near US because it "won't be able to decrypt US communications with its outdated technology".

  • The fact that traffic flow pattern contains potentially sensitive information is not at all new. I built a product that solved this problem for some companies all most two decades ago. There is something new to this problem that didn't emerge until the recent boom in machine learning capabilities. Machine learning is really good at one thing - pattern recognition. When applied to this problem, it really opens up the depth of information that can be gathered from data flow patterns. For starters, it can identify what flow belongs to what device, then it can identify what could cause this traffic, then it can combine all the devices behavior looking for more complex patterns. Just looking at your home Internet, it's not hard to identify who is home, are they awake or sleeping or exercising or
    watching TV or doing taxes or whatever. Products using this are just emerging, but it's amazing what can be gleaned from just Internet traffic pattern, or electricity usage pattern (or combined!).

    • Well, to be fair that was never very hard for some use cases. I see here that he is doing an HTTP get from, so he clearly is never exercising!
  • by DERoss ( 1919496 ) on Sunday May 28, 2017 @06:29PM (#54502935)

    If a house with extensive I0T devices is being monitored, the mere existence of Internet traffic can be a serious problem. If such traffic ceases or merely drops, that can be an indicator that no one is home, making the house a target for burglars.

    More than four years ago, this vulnerability was described relative to so-called smart electric meters. The lack of encryption in the signals transmitted by those meters made it even easier to determine which houses should be targeted for burglary. That is because a vacant house might still have a refrigerator running or a lamp left on. With no encryption, the meter readings can be analyzed to determine the amount of electricity being used. Minimal usage means no one is home. The reality of this vulnerability was described in a research paper presented at the 19th ACM Conference on Computer and Communications Security in 2012.

    • This vulnerability has been well known and documented far earlier as well. For instance, military networks (used to? still do?) fill most of the remaining capacity in their channels with junk data that's designed to be indistinguishable from real data that's been encrypted, that way an adversary listening passively can't tell when there's more activity.

  • due to dubious cost:benefit ratio.
    • by Anonymous Coward

      As far as I am concrned, all of this IoT crap has NO benefits at all except for the companies that are using them to spy on the people who buy them!

  • Lights on in the home are indication that residents are at home! News at 11.

    • by SeaFox ( 739806 )

      Lights on in the home are indication that residents are at home!

      Just like the timer on the table lamp making the lights go on and off like someone's home when you're gone, it wouldn't be that hard to do the same things to add noise to the IoT info. Have an automated recording make unnecessary requests to the Amazon Echo (8pm: recording has Echo play Hootie and the Blowfish songs for a half hour), or send signals to WeMo outlets to turn things on/off.

  • Ah, folks, well known issue in communications. Even if you can't crack the encryption, looking at WHO is talking when, and who is talking to whom (or who broadcasts, and who replies) is well known in ELINT fields, like for decades. The ways around it are known too - false transmissions/replies etc. If I always, and I mean ALWAYS send data at the same rate (by sending non important traffic at all times) make traffic analysis hard, or if I build in code to randomly add bursts of traffic, all this starts to get complex, as now you have to do statistical analysis to see if there really is something there or not.
    Crypto/ELINT guys have worried about this kind of stuff for decades

  • by houghi ( 78078 ) on Monday May 29, 2017 @07:49AM (#54504741)

    I was looking for a remote thing to turn on and of a light. Only one said that the information would be send to a server in China. All the rest did not talk about it and made it appear as if it would only connect to your router and then you could connect to it with your cellphone.

    And I have looked at many of them in several countries. So if I, who understands a little bit about Internet, can almost be fooled in buying one, How will the 95% of the people who have no idea protect themselves?

    People have NO idea what is going to be send, where it is going to be send and how to protect themselves of sending or receiving things.

    Because if they did, we would not getting any more spam.

  • Straw man argument depends on the breaking of the WiFi network. Of course if you're on the network you can monitor activity. However, breaking WiFi remains a serious challenge for over a decade.

    Another non-story.

Machines certainly can solve problems, store information, correlate, and play games -- but not with pleasure. -- Leo Rosten